not so clear about tls and replica

Hi,
Can someone give me some opinions on my OpenLDAP setup ( with some
questions on OpenLDAP). I setup OpenLDAP with TLS and it is working fine.
However, there are few questions that I am not sure about how TLS working
and some questions about slave replication.
1. when client connect to OpenLDAP server with TLS, does it use port 389
or port 636? ( I tried to test it with "openssl s_client -connect
ldap.example.com:389 blah blah.. ". when I used port 389, it faild but
port 636 is ok. Does it mean TLS always use port 636? )
2. I run my OpenLDAP server on both port 389 and 636 ( again with TLS ). I
have set "TLSVerifyClient demand". However, people can still search my
directory on port 389 as anonymous. I thought with "TLSVerifyClient
demand", client need to have a valid certificate in order to connect to
the server. is that right?
3. I have replication working between master/slave but I think the way I
am setting the replication is not very secure. can someone suggest a
better way to replica between the master/slave. Perphar something simple
without Kerberos ,etc... :)
4. on my slave's slapd.conf. I have this "updateref
ldap://server.example.com&quot; but I don't think this is right as I am using
TLS. I will assume this should be "updateref ldaps://server.example.com"
thanks
here is my slapd.conf files
On master:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/server.example.com.ldap.crt
TLSCertificateKeyFile /etc/openldap/server.example.com.ldap.key
TLSVerifyClient demand
database bdb
suffix "dc=Corporate,dc=example,dc=COM"
rootdn "uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
rootpw {SSHA}1234567890
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
replica uri=ldap://client.example.com:389
binddn="uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
bindmethod=simple credentials=secret
replogfile /var/lib/ldap/openldap-master-replog
access to dn.one="ou=People,dc=Corporate,dc=example,dc=COM"
attr=userPassword,shadowLastChange
by self write
by * auth
access to *
by group.base="uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
write
by * read
lastmod on
sizelimit 1000
On Slave:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/certs/client.example.com.ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/client.example.com.ldap.key
TLSVerifyClient demand
database bdb
suffix "dc=Corporate,dc=example,dc=COM"
rootdn "uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
rootpw {SSHA}1234567890
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
updatedn "uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
updateref ldap://server.example.com
access to dn.one="ou=People,dc=Corporate,dc=example,dc=COM"
attr=userPassword,shadowLastChange
by self write
by * auth
access to *
by group.base="uid=root,ou=People,dc=Corporate,dc=example,dc=COM"
write
by * read
lastmod on
sizelimit 1000